From ethical hacker to Global CISO with Mahdi Abdulrazak: Leading with purpose

June 25, 2025

When Mahdi Abdulrazak began hacking systems at the age of 15, his goal wasn’t to break things; it was to understand how they worked. That early curiosity evolved into a career spanning more than two decades at the forefront of cybersecurity. He serves as Group Information Security and Risk Officer at SHV Energy, where he is responsible for protecting IT and OT infrastructure across 25+ countries. He’s also a board member of the CISO Platform Nederland and an ambassador to ECSO, advocating for national resilience through ecosystem collaboration.

For Mahdi, cybersecurity has grown beyond a technical challenge: it’s a leadership responsibility, a strategic advantage, and increasingly, a civic duty. We sat down with him to explore the mindset and methods behind his approach and what it takes to lead in an era shaped by deepfakes, cyberwarfare, and accelerating complexity.

What inspired your journey from ethical hacker to global CISO, and what continues to drive you today?

“At 15, I was already exploring systems, trying to understand how they work and where they break. That curiosity never left me. What changed is the mission. Today, I’m not just protecting infrastructure; I’m protecting people, businesses, and even societies from the ripple effects of cyber threats. Cybersecurity isn’t just a profession - it’s a societal mission. If we want to protect our digital future, we need to lead with purpose and embed that responsibility across every layer of the organization.”

How do you assess the growing risks of cyberwarfare and AI-driven threats in today’s landscape?

“Cyberwarfare is now a reality. Attacks are increasingly targeting critical infrastructure and supply chains, systems that impact civilians directly. At the same time, AI has introduced new risks: deepfakes, synthetic identities, and adversarial machine learning. These aren’t theoretical anymore. We’ve seen financial fraud and social engineering attacks driven by these technologies. We must prepare not just for more intelligent attacks, but for a fundamentally different kind of battlefield.”

As attacks grow more sophisticated, how do you stay ahead of threats?

“You can’t defend what you don’t understand. That’s why a hybrid strategy is essential - combining strong defense with controlled offense by leveraging AI-powered tools and offensive engineering to think like hackers, and prioritizing based on ‘hackability,’ not just vulnerability scores. How would an attacker think? What paths would they exploit? Simulating those tactics reveals blind spots and enables faster, smarter remediation. AI helps scale that effort, for example, with platforms that scan environments like an attacker would.”

What are the key ingredients for building true resilience?

“You can’t protect everything, so don’t try. The strategy is simple: identify the crown jewels, understand the business impact if they go down, and protect them with everything we’ve got. But protection alone isn’t enough. Resilience means you’ve planned, prioritized, and trained. Full crisis simulations should be conducted not just for IT, but also for the board, business leaders, and operations. In real incidents, chaos is guaranteed. So it’s important to prepare for speed, clarity, and coordination, and push for security by design. If something isn’t secure when it leaves the factory, you’re stuck playing catch-up forever. Regulation is helping, especially around IoT, but there’s still progress to be made.”

How do you tackle the challenge of complexity?

“Complexity is the enemy. In global organizations with legacy systems, hybrid cloud, and dozens of vendors, it’s easy to lose control, and when you lose control, you lose visibility. Simplification is key: standardizing controls, enforcing architectural principles, and reducing unnecessary variation. Complexity introduces not only technical risk, but operational and regulatory risk too. Security must be integrated into architecture from day one. If you bolt it on later, it becomes fragile and expensive.”

In your view, how is the CISO role evolving and redefining itself?

“A modern CISO is someone who understands how the business works, what drives it, what risks it can absorb, and where security can actually create value. The old model of security as a blocker doesn’t work anymore. Today, we’re here to securely enable digital transformation. That means being in the room where strategy is shaped. It means translating risk into language that the board understands. It means being visible, communicative, and trusted.”

Finally, given your leadership role in the CISO community, what do you believe is key to shaping the future of cybersecurity?

“Cybersecurity isn’t just a company problem, it’s a national one. And no single entity can fix it alone. We need collaboration across academia, government, and the private sector. One area I care deeply about is fostering local innovation. If we rely only on global tech giants, we’re putting our sovereignty at risk. We need to invest in European cybersecurity startups, not just for the tech, but to build a stronger talent pipeline. At the CISO Platform Nederland, I focus on Strategy & Governance, but also on alignment. The more aligned we are across sectors, the more resilient we become as a country. That’s the big picture.”

Mahdi, thank you for sharing your vision, experience, and commitment to advancing security for both organizations and society.
